---

Swiss Vans Ltd – Cyber Security Policy

Last updated: October 2025
Applies to: All employees, contractors, partners, and third-party suppliers of Swiss Vans Ltd
Contact: security@swissvans.com

---

1. Purpose

Swiss Vans Ltd (“we”, “our”, “us”) is committed to protecting the confidentiality, integrity, and availability of all data, systems, and services under our control.
This Cyber Security Policy sets out our principles and responsibilities for safeguarding company information, customer data, and IT infrastructure against cyber threats, accidental loss, or unauthorised access.

---

2. Scope

This policy applies to:

• All information systems, computers, servers, networks, mobile devices, cloud platforms, and email accounts owned or operated by Swiss Vans Ltd;
• All employees, contractors, and third parties with access to company systems or data;
• All customer, supplier, and business data processed, stored, or transmitted by the company.

It covers both on-premise and remote working environments.

---

3. Objectives

Our cyber-security objectives are to:

1. Protect sensitive information (business, employee, and customer data).
2. Prevent unauthorised access, modification, or destruction of data.
3. Ensure business continuity and rapid recovery from incidents.
4. Maintain compliance with the UK GDPR, the Data Protection Act 2018, and other relevant legislation.
5. Promote a culture of security awareness among all staff.

---

4. Key Principles

1. Confidentiality – Access to data is restricted to authorised individuals.
2. Integrity – Data must remain accurate and complete.
3. Availability – Systems and information are accessible to authorised users when needed.
4. Accountability – Every employee shares responsibility for protecting company and customer data.

---

5. Roles and Responsibilities

Role	Responsibilities
Managing Director	Overall accountability for cyber security governance.
IT Manager / Security Officer	Maintains security infrastructure, policies, incident response, and audits.
Employees & Contractors	Follow this policy, report incidents, protect passwords, and use systems responsibly.
Third-Party Suppliers	Maintain security standards equal to or above Swiss Vans Ltd’s requirements.

---

6. Access Control

• User accounts are created on a need-to-know, least-privilege basis.
• Multi-factor authentication (MFA) is enabled wherever technically possible.
• Passwords must be unique, complex, and changed regularly.
• Shared accounts are prohibited except where specifically authorised.
• Access rights are reviewed quarterly and revoked immediately when employment or contracts end.

---

7. Device and Network Security

• All company devices must have up-to-date antivirus software, firewall protection, and automatic operating-system updates enabled.
• Personal devices (BYOD) may only connect to company resources if authorised and protected by security controls.
• USB drives and external storage must be encrypted and scanned before use.
• Wi-Fi networks are protected by strong encryption (WPA3 or equivalent).
• Remote access uses secure VPN connections only.

---

8. Data Protection & Encryption

• Confidential data (including customer and finance information) must be encrypted in transit and at rest.
• Sensitive files must not be stored locally on personal or unencrypted devices.
• Cloud storage (e.g. Google Drive, Microsoft 365) must have enforced MFA and access logging.
• Emails containing personal or financial data should be encrypted or sent via secure portals.
• Regular data backups are maintained and tested for restoration integrity.

---

9. Software & Patch Management

• Only approved software may be installed on company devices.
• Automatic patching must be enabled for all systems and applications.
• Unsupported or end-of-life software is removed immediately.
• The IT Manager monitors vendor advisories and ensures timely updates.

---

10. Email & Internet Use

• Company email accounts are for authorised business purposes only.
• Do not open suspicious links or attachments.
• Verify sender details on unexpected requests for information or payments.
• Internet use must comply with company acceptable-use rules; illegal or inappropriate sites are prohibited.
• Phishing awareness training is mandatory for all staff.

---

11. Incident Detection & Response

• All employees must report suspected cyber incidents immediately to the Security Officer at security@swissvans.com.
• Incidents include: phishing emails, data loss, malware infection, unauthorised access, or system compromise.
• The IT Manager will:
  • Contain and investigate the incident;
  • Record findings in the incident log;
  • Notify management and the DPO (if personal data affected);
  • Report breaches to the Information Commissioner’s Office (ICO) within 72 hours if legally required;
  • Communicate with affected parties where necessary.

---

12. Physical & Environmental Security

• Office IT equipment is protected by controlled access, CCTV, and secure locks.
• Portable devices must not be left unattended in public or unlocked vehicles.
• Server and networking rooms are accessible only to authorised personnel.

---

13. Supplier & Third-Party Security

• All third-party suppliers with access to company data or systems must sign a Data Processing Agreement and meet Swiss Vans’ security standards.
• Vendor access is logged, monitored, and reviewed regularly.
• Suppliers must notify us immediately of any security incidents affecting our data.

---

14. Training & Awareness

• All staff receive annual cyber-security awareness training, including phishing, password hygiene, and secure remote working.
• New employees complete mandatory induction training within their first 30 days.
• Periodic simulated phishing campaigns are conducted to measure awareness.

---

15. Business Continuity & Backup

• Regular data backups are performed daily and stored securely offsite or in a certified cloud environment.
• Disaster-recovery testing is conducted annually to verify backup integrity.
• Key business systems have redundancy and failover procedures.

---

16. Monitoring & Auditing

• System activity, network logs, and access events are monitored for suspicious behaviour.
• Annual audits are carried out by the IT Manager and reviewed by senior management.
• Findings and actions are documented in a Cyber Security Report.

---

17. Policy Compliance

Failure to comply with this policy may result in disciplinary action, suspension of access rights, or legal action where appropriate.
Serious or repeated breaches will be reported to senior management and may lead to termination of employment or contracts.

---

18. Review & Updates

This policy is reviewed annually or when significant business, technological, or regulatory changes occur.
The next review date: October 2026

---

Contact

Cyber Security Team
Swiss Vans Ltd
Bridgend, Wales CF31 3TP
? security@swissvans.com
? www.swissvans.com